Bug 912018 - (CVE-2014-8275) VUL-0: CVE-2014-8275: openssl: Fix various certificate fingerprint issues
(CVE-2014-8275)
VUL-0: CVE-2014-8275: openssl: Fix various certificate fingerprint issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:running:60183:moderate maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-01-07 09:51 UTC by Marcus Meissner
Modified: 2022-02-16 21:16 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-01-07 09:51:39 UTC
via openssl git

commit 684400ce192dac51df3d3e92b61830a6ef90be3e
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Sat Dec 20 15:09:50 2014 +0000

    Fix various certificate fingerprint issues.
    
    By using non-DER or invalid encodings outside the signed portion of a
    certificate the fingerprint can be changed without breaking the signature.
    Although no details of the signed portion of the certificate can be changed
    this can cause problems with some applications: e.g. those using the
    certificate fingerprint for blacklists.
    
    1. Reject signatures with non zero unused bits.
    
    If the BIT STRING containing the signature has non zero unused bits reject
    the signature. All current signature algorithms require zero unused bits.
    
    2. Check certificate algorithm consistency.
    
    Check the AlgorithmIdentifier inside TBS matches the one in the
    certificate signature. NB: this will result in signature failure
    errors for some broken certificates.
    
    3. Check DSA/ECDSA signatures use DER.
    
    Reencode DSA/ECDSA signatures and compare with the original received
    signature. Return an error if there is a mismatch.
    
    This will reject various cases including garbage after signature
    (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
    program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
    (negative or with leading zeroes).
    
    CVE-2014-8275
    Reviewed-by: Emilia Käsper <emilia@openssl.org>
Comment 1 Marcus Meissner 2015-01-07 09:57:07 UTC
0.9.8 

commit ec2fede9467ae1a65f452d3a39f7fbc4891d9285
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Sat Dec 20 15:09:50 2014 +0000

    Fix various certificate fingerprint issues.
    
    By using non-DER or invalid encodings outside the signed portion of a
    certificate the fingerprint can be changed without breaking the signature.
    Although no details of the signed portion of the certificate can be changed
    this can cause problems with some applications: e.g. those using the
    certificate fingerprint for blacklists.
    
    1. Reject signatures with non zero unused bits.
    
    If the BIT STRING containing the signature has non zero unused bits reject
    the signature. All current signature algorithms require zero unused bits.
    
    2. Check certificate algorithm consistency.
    
    Check the AlgorithmIdentifier inside TBS matches the one in the
    certificate signature. NB: this will result in signature failure
    errors for some broken certificates.
    
    3. Check DSA/ECDSA signatures use DER.
    
    Reencode DSA/ECDSA signatures and compare with the original received
    signature. Return an error if there is a mismatch.
    
    This will reject various cases including garbage after signature
    (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
    program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
    (negative or with leading zeroes).
    
    CVE-2014-8275
    Reviewed-by: Emilia Käsper <emilia@openssl.org>
    
    (cherry picked from commit 208a6012be3077d83df4475f32dd1b1446f3a02e)
    
    Conflicts:
        crypto/dsa/dsa_vrf.c
Comment 2 Marcus Meissner 2015-01-07 09:58:00 UTC
there was an additional fix to this patch

commit cb62ab4b17818fe66d2fed0a7fe71969131c811b
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Tue Jan 6 20:55:38 2015 +0000

    use correct function name
    
    Reviewed-by: Rich Salz <rsalz@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>

please also include that
Comment 3 Marcus Meissner 2015-01-07 09:58:41 UTC
1.0.1.

commit a8565530e27718760220df469f0a071c85b9e731
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Sat Dec 20 15:09:50 2014 +0000

    Fix various certificate fingerprint issues.
    
    By using non-DER or invalid encodings outside the signed portion of a
    certificate the fingerprint can be changed without breaking the signature.
    Although no details of the signed portion of the certificate can be changed
    this can cause problems with some applications: e.g. those using the
    certificate fingerprint for blacklists.
    
    1. Reject signatures with non zero unused bits.
    
    If the BIT STRING containing the signature has non zero unused bits reject
    the signature. All current signature algorithms require zero unused bits.
    
    2. Check certificate algorithm consistency.
    
    Check the AlgorithmIdentifier inside TBS matches the one in the
    certificate signature. NB: this will result in signature failure
    errors for some broken certificates.
    
    3. Check DSA/ECDSA signatures use DER.
    
    Reencode DSA/ECDSA signatures and compare with the original received
    signature. Return an error if there is a mismatch.
    
    This will reject various cases including garbage after signature
    (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
    program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
    (negative or with leading zeroes).
    
    CVE-2014-8275
    Reviewed-by: Emilia Käsper <emilia@openssl.org>
    
    (cherry picked from commit 684400ce192dac51df3d3e92b61830a6ef90be3e)


and
commit 178c562a4621162dbe19a7c34fa2ad558684f40e
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Tue Jan 6 20:55:38 2015 +0000

    use correct function name
    
    Reviewed-by: Rich Salz <rsalz@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    (cherry picked from commit cb62ab4b17818fe66d2fed0a7fe71969131c811b)
Comment 4 Swamp Workflow Management 2015-01-07 23:00:44 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2015-01-08 16:08:29 UTC
openssl.org/news/secadv_20150108.txt 


Certificate fingerprints can be modified (CVE-2014-8275)
========================================================

Severity: Low

OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible
to change the certificate's fingerprint.

This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and
0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

One variant of this issue was discovered by Antti Karjalainen and
Tuomo Untinen from the Codenomicon CROSS program and reported to
OpenSSL on 1st December 2014 by NCSC-FI Vulnerability
Co-ordination. Another variant was independently reported to OpenSSL
on 12th December 2014 by Konrad Kraszewski from Google. Further
analysis was conducted and fixes were developed by Stephen Henson of
the OpenSSL core team.
Comment 6 Bernhard Wiedemann 2015-01-09 12:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (912018) was mentioned in
https://build.opensuse.org/request/show/280570 Factory / openssl
Comment 15 Swamp Workflow Management 2015-01-23 19:05:48 UTC
openSUSE-SU-2015:0130-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 911399,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.16.2
openSUSE 13.1 (src):    openssl-1.0.1k-11.64.2
Comment 17 Swamp Workflow Management 2015-01-29 00:06:40 UTC
SUSE-SU-2015:0166-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Sources used:
SLE CLIENT TOOLS 10 for x86_64 (src):    openssl-0.9.8a-18.88.1
SLE CLIENT TOOLS 10 for s390x (src):    openssl-0.9.8a-18.88.1
SLE CLIENT TOOLS 10 (src):    openssl-0.9.8a-18.88.1
Comment 18 Swamp Workflow Management 2015-01-29 06:06:00 UTC
SUSE-SU-2015:0172-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 912014,912015,912018,912293,912294,912296
CVE References: CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.68.1
SUSE Manager 1.7 for SLE 11 SP2 (src):    openssl-0.9.8j-0.68.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.88.1
Comment 19 Swamp Workflow Management 2015-01-31 02:06:19 UTC
SUSE-SU-2015:0172-2: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 912014,912015,912018,912293,912294,912296
CVE References: CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openssl-0.9.8j-0.68.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openssl-0.9.8j-0.68.1
SUSE Linux Enterprise Server 11 SP3 (src):    openssl-0.9.8j-0.68.1
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    openssl-0.9.8j-0.68.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    openssl-0.9.8j-0.68.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    openssl-0.9.8j-0.68.1
Comment 20 Swamp Workflow Management 2015-01-31 05:06:35 UTC
SUSE-SU-2015:0181-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 906878,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Sources used:
SUSE Linux Enterprise Security Module 11 SP3 (src):    openssl1-1.0.1g-0.24.1
Comment 21 Swamp Workflow Management 2015-01-31 06:06:21 UTC
SUSE-SU-2015:0182-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 912014,912015,912018,912293,912296
CVE References: CVE-2014-3570,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    compat-openssl097g-0.9.7g-13.27.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    compat-openssl097g-0.9.7g-146.22.27.1
SLES for SAP Applications (src):    compat-openssl097g-0.9.7g-146.22.27.1
Comment 22 Marcus Meissner 2015-02-03 16:36:51 UTC
released
Comment 23 Swamp Workflow Management 2015-02-03 17:11:07 UTC
SUSE-SU-2015:0205-1: An update that solves 7 vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 855676,895129,901902,906878,908362,908372,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    openssl-1.0.1i-17.1
SUSE Linux Enterprise Server 12 (src):    openssl-1.0.1i-17.1
SUSE Linux Enterprise Desktop 12 (src):    openssl-1.0.1i-17.1
Comment 24 Swamp Workflow Management 2015-02-17 15:06:07 UTC
SUSE-SU-2015:0305-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 892403,912014,912015,912018,912293,912294,912296
CVE References: CVE-2014-0224,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-70.2
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-70.2
Comment 25 Swamp Workflow Management 2015-02-23 18:05:46 UTC
SUSE-SU-2015:0182-2: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 912014,912015,912018,912293,912296
CVE References: CVE-2014-3570,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP1 (src):    compat-openssl097g-0.9.7g-146.22.27.1
Comment 26 Swamp Workflow Management 2015-03-23 23:06:58 UTC
SUSE-SU-2015:0578-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 802184,880891,890764,901223,901277,905106,912014,912015,912018,912293,912296,920236,922488,922496,922499,922500,922501
CVE References: 
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP2 (src):    compat-openssl097g-0.9.7g-146.22.29.1
Comment 27 Swamp Workflow Management 2015-07-22 13:08:01 UTC
openSUSE-SU-2015:1277-1: An update that solves 16 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 912015,912018,912292,912293,912296,919648,920236,922496,922499,922500,931600,934487,934489,934491,934493,934494,937891
CVE References: CVE-2014-3570,CVE-2014-3572,CVE-2014-8176,CVE-2014-8275,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1792,CVE-2015-4000
Sources used:
openSUSE 13.2 (src):    libressl-2.2.1-2.3.1
Comment 29 Swamp Workflow Management 2022-02-16 21:16:51 UTC
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.